Welcome to NBlog, the NoticeBored blog

Mar 31, 2007

IT Pro, reporting on a study by Vanson Bourne, points out that salemen's dependence on electronic communications makes them more vulnerable than most to targeted phishing attacks. Such attacks typically deliver Trojans in office files sent as email attachments. The problem is especially acute in SMEs (Small to Medium Sized Enterprises - also known as SMBs ...Businesses). The author emphasises that SMEs need security awareness but offers no suggestions on how this might actually be achieved in practice.

Microsoft acknowledges that a recent Internet Explorer security patch fixed IE6 but not the latest IE7. Exploit code is apparently 'in the wild'. Perhaps now is a good time to consider changing to Firefox or one of the other non-M$ browsers?

Another advisory concerns a security flaw in Windows' handling of animated cursor files, which is also being actively exploited 'in the wild'. Time to take a look at Linux, maybe?

Mar 29, 2007

We've released an updated and extended awareness module on network security for April 2007, incorporating materials on securing wireless networks, Web browsing and a variety of other networking security issues.

Mar 23, 2007

The techoes at SecureWorks describe the painstaking forensic analysis of "Gozi", a Trojan horse program on a customer's PC. The Trojan (which was not at first recognized by antivirus packages) was found to be stealing sensitive data (prior to it being encrypted and sent to SSL websites by IE or Javascript) and secretly sending it to a remote server. From there, the stolen information was put up for sale on the black market, along with associated hacking services.

The description, like the Trojan, is complex and technical but makes fascinating reading for IT professionals. The analysts used virtual machines, Safe Mode, a debugger and tools from SysInternals and Wireshark/Ethereal to dissect the beast. Luckily the antivirus companies' tech gurus have the patience and skills to do this kind of analysis on our behalf.

How does Torbay Council in sleepy Devonshire, England, send confidential information about council workers (names, addresses, salary, banking details - that sort of thing) to the auditors. Why, they simply cut a CD and pop it in an envelope ... and when the first one goes missing in the post, they do it again and that one also goes missing in action.

Mar 21, 2007

A computer technician reformatting a disk drive at the Alaska Department of Revenue accidentally deleted applicant information for a $38bn oil-funded account by reformatting the backup drive as well. Only then did the department discover its backup tapes were also unreadable ...

This kind of backup failure incident happens so often, and the impacts are so serious, that the risk must surely be assessed as high. The obvious controls (professionally designed data backup schemes, change controlled and regularly tested) are not unduly expensive. Is it really that hard to join the dots?

The Information Commissioner has found 11 big-name UK financial institutions in breach of the Data Protection Act for dumping paperwork containing their valued customers' personal details outdoors in waste bins. The investigation was prompted by a complaint by consumer pressure group Scamsdirect, "the indepdendent watchfrog", tagline "Reddit? Shreddit!". :-)

Scamsdirect is promoting an innovative scheme to cut down on fraudulent loan applications: they are encouraging Brits to send their thumbprints to the credit reporting agencies so that the agencies can validate paper-based applications. Some fraudsters may just be foolish enough to send their own thumbprints prior to making a fraudulent application, in which case the good ol' British Bobbies should have little trouble proving the fraudsters' identities ... Well, we can but hope.

Mar 20, 2007

The websites www.cisaca.org and www.cisaca.com which claim to be authorized by ISACA to register candidates for the CISA exam and sell ISACA authored study material, are fraudulent according to ISACA.

Neither these web sites nor their owners are affiliated in any way with or endorsed by ISACA, nor have they been authorized as registrars for the CISA exam or as distributors of any CISA study materials.

Registration for the CISA exam or study aid purchase made through www.cisaca.org or www.cisaca.com, is NOT valid. ISACA is not responsible for any refund of registration fees or study materials purchased through these sites. The only legitimate online exam registration and study aid purchase web site is www.isaca.org.

Anyone that has been deceived by these web sites is asked to contact ISACA International Headquarters' certification department (certification@isaca.org) and provide the following information: their name, email address, to whom the payment was made, the amount paid, the exam registered for, and the web site accessed to register for the exam. ISACA highly encourages you to contact the ISACA certification department regarding registration for future CISA (or indeed CISM) exams.

This looks like a classic "domain lookalike" fraud or phishing incident, unusual only in that it involves an IT audit organization. The fraudsters are evidently looking for new/softer targets having milked the naive customers of most financial institutions for all they are worth. I guess trademark infringement may be enough for ISACA to get the copycat sites shut down ... eventually ...

Mar 19, 2007

The State of Malware is not, in fact, the name of some obscure far-off land where computers misbehave but the title of a free SANS webcast on Wednesday March 21st,1:00 PM EDT (1700 UTC).

Over the course of the past two years, information technology has seensome amazing advances. Unfortunately, malware authors are keeping pacewith the industry. This webcast will reveal what's really going on "outthere" - from sophisticated phishing "worms" to a disturbing increasein Trojans, extensive bot networks and new polymorphic viruses. Methodsof distribution are changing, too. For example, new Web technologiesare making it easier than ever to disseminate malware. So what can wedo? The webcast will also cover methods of detection and prevention,including behavioral analysis and site reputation.

You need a free SANS portal account and either Real Audio Player or Windows Media Player to access this SANS webcast and the archive of past webcasts.

Mar 15, 2007

Disk drive manufacturers quote MTBF (Mean Time Between Failures) of around a million hours under ideal conditions, suggesting a failure rate of less than 1% per year, but some studies show significantly worse performance (2-10% failure p.a.) in the Real World™. It seems the “bathtub” reliability curve has a sharply upward sloping or even stepped bottom, not the long flat period of stability often assumed.

If your data are vital and their availability is critical, the studies suggest the value of monitoring drive age, error rates and temperatures carefully. Also techniques such as RAID will help. However, the unpredictability of disk failure also implies the need to have contingency plans, backups and hot-swappable drives. Or, if money is no object, solid state disks might be the way to go (plus cosmic ray shielding!).

The latest update US CERT Cybertip covers antivirus software. As always, the tip sheet explains the basics in simple language, aiming at a non-technical audience. It is covered by a copyright license stating "You are permitted to reproduce and distribute documents on this web site in whole or in part, without changing the text you use, provided that you include the copyright statement or "produced by" statement and use the document for noncommercial or internal purposes.", in other words you can reproduce and distribute it within your organization with attribution to CERT but you (and we!) may not sell it on.

Mar 13, 2007

Antivirus vendors have been talking-up the malware threat to mobile devices such as smart phones and PDAs for a few years now. Naturally, those who offer antivirus software for such devices tend to be more vociferous about the problem but there comes a point when it's time to take their warnings seriously.

Kaspersky's summary of current mobile malware risks identifies trends during 2006 that point to the possibility of this getting serious before too long. The number of mobile viruses increased steadily from ~120 to ~180 in the year, still way short of the epidemic virus numbers seen on PC platforms. Of more interest is a perceived change in the nature of the threat, namely more emphasis on stealing money rather than simply annoying users. If true, that observation mirrors what others are saying about identity theft and other criminal activities in general in relation to information security incidents.

[That said, I feel pretty safe out here in the depths of rural New Zealand, several miles outside mobile coverage. We use jungle drums not cellphones.]

Taylor & Francis has made numerous issues of the ISC2's official organ, the Information Systems Security journal, available for free, at least for the moment. They also made EDPACS available for a while but that freebie ended a week ago, I believe. In other words, take the opportunity today to browse the journal and download/read any interesting articles now before it's too late and you need to subscribe.

The Daily Mail is reporting that the British government is cooking up a cunning plan to sell personal data from the national identity card scheme to 'banks and other businesses' at 60p a pop. Please form an orderly queue. The idea is to offset the ID card scheme costs with some income. How very entrepreneurial of them. How very New Labour.

I assume the government has taken the privacy and legal implications fully into account. Presumably the system is perfectly secure. Presumably it has an opt-out field for those crazy Brits who are less than enamoured of the idea. Presumably the Data Protection Registrar is right behind the government on this one. Presumably there's no conflict with the Data Protection Act and Human Rights Act. Presumably squadrons of pigs are flying over parliament ...

Mar 12, 2007

The Australian Attorney-General, no less, has released a booklet of advice for small businesses called Good Security - Good Business. Contingency and continuity planning is the main subject with a little risk analysis thrown in for good measure.

Whilst I have no problem with the government producing useful booklets, I hope they are doing rather more than that to promote good security practices.

Mar 8, 2007

Over the past few months, the "Storm" worm has taken the idea of polymorphism to new extremes. To understand the context, here's a little history.

Once upon a time long long ago, cunning virus authors discovered they cold fool the early antivirus programs simply by making insignificant changes in their code. Adding the odd "null command", pointless loops or whatever was enough to make 'variants' that escaped detection, for a while anyway until the equally cunning antivirus analysts caught on, figuring out how to unravel the variations and find the common factors to make reliable virus signatures. Virus variants emerged every few months or weeks.

Next, even more cunning authors of automated virus generating engines added the ability to create variant or "polymorphic" viruses at will. A whole industry of polymoprphic cunningness developed, adding tricks such as self-modifying code, obfuscation and encryption to the pot and spewing out variants by the bucket-load. The antivirus wizz-kids spent their days searching through the layers of obfuscation for invariant code sequences such as the decryption routines, and toyed with the idea of "heuristic scanning" for "virus-like activity". Variants emerged every few weeks or days.

The author of "Storm" took the game to a new level. He/she released a few hundred worm variants simply to test the waters, then an absolute avalance of thousands or tens of thousands of variants all at once, seeded from tens or hundreds of thousands of compromised 'bot' machines all over the net. The worms use highly variable subject lines and code and through sheer numbers alone threaten to overload even the most assiduous antivirus team.

The next chapter in this thriling story is likely to be rather unpleasant.

If you are curious to find out how antivirus products compare, AV-Comparatives.org regularly tests a reasonable selection of products against an up-to-date 'zoo' containing a million malware examples. Their February 2007 report is here.

Mar 6, 2007

Scott Pinzon and colleagues at Watchguard have produced and released some outstanding malware-related security awareness videos. The content is fairly technical but well presented and engaging.

Drive-by downloads demonstrates how simply browsing a malicious or compromised website may infect an inadequately-secured PC. Using Firefox with the NoScript add-in makes this kind of attack less likely compared to a standard Internet Exploder configuration.

Rootkits are explained in three parts (part 1part 2part 3). Avoidance tips in part 3 hint at the issues well-concealed rootkits can create even for security geeks.

Mar 3, 2007

A family of worms known variously as SDBOT, RINBOT, LOXBOT and DELBOT makes rude references in the code to the information security and antivirus companies trying to stamp it out. They spread by guessing/brute forcing simplistic passwords on network shares, or via Instant Messaging. The payload is a backdoor that allows hackers to remote-control compromised machines using IRC (Internet Relay Chat), generally to launch Distributed Denial of Service attacks.

Despite claims of novelty by CNN, these worms have been around for years.

Mar 1, 2007

Sun Microsystems warns that a worm exploiting a security flaw in their Telnet daemon is 'in the wild' i.e. currently infecting Sun systems. Sun has evidently issued a patch but a better solution is, um, not to use Telnet, especially across the Internet. SSH is a simple, much more secure replacement in most situations, using SSL to encrypt the network traffic.

Hot topic

NBlogger is ...

Dr Gary Hinson PhD MBA CISSP has an abiding interest in human factors - the ‘people side’ as opposed to the purely technical aspects of information security. Gary's career stretches back to the mid-1980s as both practitioner and manager in the fields of IT system and network administration, information security and IT auditing. He has worked and consulted in the pharmaceuticals/life sciences, utilities, IT, engineering, defense, financial services and government sectors, for organizations of all sizes. Since 2003, he has been creating security awareness materials for clients (www.NoticeBored.com) and supporting users of the ISO27k standards (www.ISO27001security.com). In conjunction with Krag Brotby, he wrote "PRAGMATIC security metrics" (www.SecurityMetametrics.com). He is a keen radio amateur, often calling but seldom heard by distant stations on the HF bands.